Understanding Windows Server 2008 DFS-N by analyzing network traces


1 – Overview

This blog post details the behavior of Windows Server 2008 DFS-N (Distributed File System – Namespaces) clients by looking at network traces. 
The main goal here is to show the interaction between a DFS-N client, a domain controller, a namespace server and a file server.
These traces were taken using Network Monitor 3.3 beta from a set of isolated computers in a domain.
To understand this post, you need some familiarity with common protocols like ARP, ICMP, TCP and DNS.
At least a basic understanding of some more sophisticated protocols like SMB and Kerberos are also helpful.

2 – The environment

There are 4 computers in this environment, as described below.

# Name FQDN IP Role Details
1 DC DC.josebda.local 10.1.1.1 DNS, Domain Controller DNS Server for zone josebda.local
Only DC for josebda.local domain
2 NS NS.josebda.local 10.1.1.2 File Server, DFS Namespace Server Hosts namespace \josebdaNS1
Includes a folder \josebdaNS1Folder1
Target for that folder is \fs.josebda.localShare1
3 FS FS.josebda.local 10.1.1.3 File Server Hosts the share \fs.josebda.localShare1
4 CL CL.josebda.local 10.1.1.4 Client Where the command lines are run
Running Network Monitor

All computers in this setup are running Windows Server 2008 Enterprise Edition (with Service Pack 2 RC).
All command lines and traces are from the point of view of the client (CL.josebda.local or 10.1.1.4).

3 – Cleaning up the caches

In order to clean all the related caches before each trace, I used a series of command on the client:

  • To clear the DFS-N domain cache: DFSUTIL cache domain flush
  • To clean the DFS-N referral cache: DFSUTIL cache referral flush
  • To clear the cached Kerberos tickets: KLIST purge
  • To clear the DNS cache: IPCONFIG /flushdns
  • To clear the ARP cache: ARP –d * 

Note that each of the commands clears a different kind of cache.

4 – Warming up with a ping by DNS name

This first trace shows a ping of the file server by the client, using the file server name.
This is a simple one, just to get you started with the format. It uses the ARP, DNS and ICMP protocols.
This involves the client (CL), the DNS server (DC) and the file server (FS).

First, here is the actual command used (in bold) and its output.

C:Usersadministrator>ping fs.josebda.local

Pinging fs.josebda.local [10.1.1.3] with 32 bytes of data:

Reply from 10.1.1.3: bytes=32 time<1ms TTL=128

Reply from 10.1.1.3: bytes=32 time<1ms TTL=128

Reply from 10.1.1.3: bytes=32 time<1ms TTL=128

Reply from 10.1.1.3: bytes=32 time<1ms TTL=128

Ping statistics for 10.1.1.3:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:Usersadministrator>

Next, here is the summary of the NetMon trace with some highlights (in bold) and comments (in italics).

From To Protocol Details
4.1. CL uses ARP to find MAC address for 10.1.1.1, its DNS server
CL DC ARP ARP:Request, 10.1.1.4 asks for 10.1.1.1
DC CL ARP ARP:Response, 10.1.1.1 at 00-15-5D-6C-0D-06
4.2. CL queries DNS for “fs.josebda.local”, gets 10.1.1.3 (DC queries ARP back to CL)
CL DC DNS DNS:QueryId = 0xFDF5, QUERY (Standard query), Query  for fs.josebda.local of type Host Addr on class Internet
DC CL ARP ARP:Request, 10.1.1.1 asks for 10.1.1.4
CL DC ARP ARP:Response, 10.1.1.4 at 00-15-5D-6C-0D-03
DC CL DNS DNS:QueryId = 0xFDF5, QUERY (Standard query), Response – Success, 10.1.1.3
4.3. CL uses ARP to find MAC address for 10.1.1.3, the IP for fs.josebda.local
CL FS ARP ARP:Request, 10.1.1.4 asks for 10.1.1.3
FS CL ARP ARP:Response, 10.1.1.3 at 00-15-5D-6C-0D-05
4.4. CL pings 10.1.1.3 four times (first time, FS queries ARP back to CL)
CL FS ICMP ICMP:Echo Request Message, From 10.1.1.4 To 10.1.1.3
FS CL ARP ARP:Request, 10.1.1.3 asks for 10.1.1.4
CL FS ARP ARP:Response, 10.1.1.4 at 00-15-5D-6C-0D-03
FS CL ICMP ICMP:Echo Reply Message, From 10.1.1.3 To 10.1.1.4
CL FS ICMP ICMP:Echo Request Message, From 10.1.1.4 To 10.1.1.3
FS CL ICMP ICMP:Echo Reply Message, From 10.1.1.3 To 10.1.1.4
CL FS ICMP ICMP:Echo Request Message, From 10.1.1.4 To 10.1.1.3
FS CL ICMP ICMP:Echo Reply Message, From 10.1.1.3 To 10.1.1.4
CL FS ICMP ICMP:Echo Request Message, From 10.1.1.4 To 10.1.1.3
FS CL ICMP ICMP:Echo Reply Message, From 10.1.1.3 To 10.1.1.4

Last, here is a sample NetMon screenshot. You can see the details of the DNS query response frame:

DFSNM1

5 – Querying the file server directly

This trace is more interesting, showing an SMB client enumerating a folder on a file server.
Note that, in this case, we are not actually using a DFS namespace yet.
You will be exposed to a larger set of protocols this time, including SMB and Kerberos.
Now there will be three computers involved: the client (CL), the file server (FS) and the domain controller (DC).

First, here is the actual command used (in bold) and its output.

C:Usersadministrator>dir \fs.josebda.localshare1

 Volume in drive \fs.josebda.localshare1 has no label.

 Volume Serial Number is 68CD-6098

Directory of \fs.josebda.localshare1

04/10/2009  10:06 PM    <DIR>          .

04/10/2009  10:06 PM    <DIR>          ..

04/10/2009  10:06 PM                15 File1.txt

               1 File(s)             15 bytes

               2 Dir(s)  11,459,997,696 bytes free

C:Usersadministrator>

Next, here is the summary of the NetMon trace with some highlights (in bold) and comments (in italics).

From To Protocol Details
5.1. CL uses ARP to find MAC address for 10.1.1.1, its DNS server
CL DC ARP ARP:Request, 10.1.1.4 asks for 10.1.1.1
DC CL ARP ARP:Response, 10.1.1.1 at 00-15-5D-6C-0D-06
5.2. CL queries DNS for “fs.josebda.local”, gets 10.1.1.3
CL DC DNS DNS:QueryId = 0x5667, QUERY (Standard query), Query  for fs.josebda.local of type Host Addr on class Internet
DC CL DNS DNS:QueryId = 0x5667, QUERY (Standard query), Response – Success, 10.1.1.3
5.3. CL uses ARP to find MAC address for 10.1.1.3, the IP for fs.josebda.local
CL FS ARP ARP:Request, 10.1.1.4 asks for 10.1.1.3
FS CL ARP ARP:Response, 10.1.1.3 at 00-15-5D-6C-0D-05
5.4. CL negotiates a TCP session with FS on port 445 (SMB)
CL FS TCP TCP:Flags=……S., SrcPort=49257, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=892114495, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
FS CL ARP ARP:Request, 10.1.1.3 asks for 10.1.1.4
CL FS ARP ARP:Response, 10.1.1.4 at 00-15-5D-6C-0D-03
FS CL TCP TCP:Flags=…A..S., SrcPort=Microsoft-DS(445), DstPort=49257, PayloadLen=0, Seq=1956516548, Ack=892114496, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL FS TCP TCP:Flags=…A…., SrcPort=49257, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=892114496, Ack=1956516549, Win=513 (scale factor 0x8) = 131328
5.5. CL and FS negotiate an SMB session (note that FS offers SMB2 and CL takes it)
CL FS SMB SMB:C; Negotiate, Dialect = PC NETWORK PROGRAM 1.0, LANMAN1.0, Windows for Workgroups 3.1a, LM1.2X002, LANMAN2.1, NT LM 0.12, SMB 2.002
FS CL SMB2 SMB2:R  NEGOTIATE (0x0), GUID={8E4F0109-0E04-FD9C-434A-05881428984C}, Mid = 0
5.6. CL talks to the DC on port (88) to get a set of Kerberos tickets. First, the client Authentication for  the domain.
CL DC TCP TCP:Flags=……S., SrcPort=49258, DstPort=Kerberos(88), PayloadLen=0, Seq=1788451346, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
DC CL TCP TCP:Flags=…A..S., SrcPort=Kerberos(88), DstPort=49258, PayloadLen=0, Seq=4134793418, Ack=1788451347, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL DC TCP TCP:Flags=…A…., SrcPort=49258, DstPort=Kerberos(88), PayloadLen=0, Seq=1788451347, Ack=4134793419, Win=513 (scale factor 0x8) = 131328
CL DC KerberosV5 KerberosV5:AS Request Cname: administrator Realm: JOSEBDA.LOCAL Sname: krbtgt/JOSEBDA.LOCAL
DC CL KerberosV5 KerberosV5:AS Response Ticket[Realm: JOSEBDA.LOCAL, Sname: krbtgt/JOSEBDA.LOCAL]
DC CL TCP TCP:[Continuation]Flags=…AP…, SrcPort=Kerberos(88), DstPort=49258, PayloadLen=51, Seq=4134794879 – 4134794930, Ack=1788451665, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=…A…., SrcPort=49258, DstPort=Kerberos(88), PayloadLen=0, Seq=1788451665, Ack=4134794930, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=…A…F, SrcPort=49258, DstPort=Kerberos(88), PayloadLen=0, Seq=1788451665, Ack=4134794930, Win=513 (scale factor 0x8) = 131328
DC CL TCP TCP:Flags=…A…., SrcPort=Kerberos(88), DstPort=49258, PayloadLen=0, Seq=4134794930, Ack=1788451666, Win=513 (scale factor 0x8) = 131328
DC CL TCP TCP:Flags=…A.R.., SrcPort=Kerberos(88), DstPort=49258, PayloadLen=0, Seq=4134794930, Ack=1788451666, Win=0 (scale factor 0x8) = 0
5.7. CL requests a Kerberos client service authorization ticket for CL to present to FS.joseba.local for cifs service
CL DC TCP TCP:Flags=……S., SrcPort=49259, DstPort=Kerberos(88), PayloadLen=0, Seq=3552892024, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
DC CL TCP TCP:Flags=…A..S., SrcPort=Kerberos(88), DstPort=49259, PayloadLen=0, Seq=1290555248, Ack=3552892025, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL DC TCP TCP:Flags=…A…., SrcPort=49259, DstPort=Kerberos(88), PayloadLen=0, Seq=3552892025, Ack=1290555249, Win=513 (scale factor 0x8) = 131328
CL DC KerberosV5 KerberosV5:TGS Request Realm: JOSEBDA.LOCAL Sname: cifs/fs.josebda.local
DC CL TCP TCP:Flags=…A…., SrcPort=Kerberos(88), DstPort=49259, PayloadLen=0, Seq=1290555249, Ack=3552893597, Win=513 (scale factor 0x8) = 131328
DC CL KerberosV5 KerberosV5:TGS Response Cname: Administrator
DC CL TCP TCP:[Continuation]Flags=…AP…, SrcPort=Kerberos(88), DstPort=49259, PayloadLen=118, Seq=1290556709 – 1290556827, Ack=3552893597, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=…A…., SrcPort=49259, DstPort=Kerberos(88), PayloadLen=0, Seq=3552893597, Ack=1290556827, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=…A…F, SrcPort=49259, DstPort=Kerberos(88), PayloadLen=0, Seq=3552893597, Ack=1290556827, Win=513 (scale factor 0x8) = 131328
5.8. The SMB session is setup (while the last ACKs for the DC are still coming)
CL FS SMB2 SMB2:C  SESSION SETUP (0x1), Mid = 1
DC CL TCP TCP:Flags=…A…., SrcPort=Kerberos(88), DstPort=49259, PayloadLen=0, Seq=1290556827, Ack=3552893598, Win=513 (scale factor 0x8) = 131328
DC CL TCP TCP:Flags=…A.R.., SrcPort=Kerberos(88), DstPort=49259, PayloadLen=0, Seq=1290556827, Ack=3552893598, Win=0 (scale factor 0x8) = 0
FS CL TCP TCP:Flags=…A…., SrcPort=Microsoft-DS(445), DstPort=49257, PayloadLen=0, Seq=1956516789, Ack=892116277, Win=513 (scale factor 0x8) = 131328
FS CL SMB2 SMB2:R  SESSION SETUP (0x1) ,SessionFlags=0x0, Mid = 1
5.9. CL connects to \fs.josebda.localIPC$ tree, gets referral for \fs.josebda.localshare1. Note the code 412, telling us that FS is not a DFS server, just a regular file server.
CL FS SMB2 SMB2:C  TREE CONNECT (0x3), Path=\fs.josebda.localIPC$, Mid = 2
FS CL SMB2 SMB2:R  TREE CONNECT (0x3), TID=0x1, Mid = 2
CL FS DFS DFS:Get DFS Referral Request, FileName: fs.josebda.localshare1, MaxReferralLevel: 4
FS CL SMB2 SMB2:R , Mid = 3 – NT Status: System – Error, Code = (412) STATUS_FS_DRIVER_REQUIRED
5.10. CL connects to \fs.josebda.localshare1 tree, get all information required by DIR command (note that SMB CREATE is used as “OPEN”)
CL FS SMB2 SMB2:C  TREE CONNECT (0x3), Path=\fs.josebda.localshare1, Mid = 4
FS CL SMB2 SMB2:R  TREE CONNECT (0x3), TID=0x5, Mid = 4
CL FS SMB2 SMB2:C  CREATE (0x5), Context=DHnQ, Context=MxAc, Context=QFid, Mid = 5
FS CL SMB2 SMB2:R  CREATE (0x5), Context=MxAc, Context=QFid, FID=0xFFFFFFFF00000001, Mid = 5
CL FS SMB2 SMB2:C  QUERY INFORMATION (0x10), FID=0xFFFFFFFF00000001, InformationClass=Query FS Volume Info, FID=0xFFFFFFFF00000001, Mid = 6
FS CL SMB2 SMB2:R  QUERY INFORMATION (0x10), Mid = 6
CL FS SMB2 SMB2:C  CREATE (0x5), Context=DHnQ, Context=MxAc, Context=QFid, Mid = 8
FS CL SMB2 SMB2:R  CREATE (0x5), Context=MxAc, Context=QFid, FID=0xFFFFFFFF00000005, Mid = 8
CL FS SMB2 SMB2:C  CLOSE (0x6), FID=0xFFFFFFFF00000001, Mid = 11
FS CL SMB2 SMB2:R  CLOSE (0x6), Mid = 11
CL FS SMB2 SMB2:C  QUERY INFORMATION (0x10), FID=0xFFFFFFFF00000005, InformationClass=Query FS Full Size Info, FID=0xFFFFFFFF00000005, Mid = 12
FS CL SMB2 SMB2:R  QUERY INFORMATION (0x10), Mid = 12
5.11. CL disconnects from both trees, logs off SMB2, closes the TCP session with FS
CL FS TCP TCP:Flags=…A…., SrcPort=49257, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=892117764, Ack=1956518678, Win=512 (scale factor 0x8) = 131072
CL FS SMB2 SMB2:C  TREE DISCONNECT (0x4), TID=0x1, Mid = 13
FS CL SMB2 SMB2:R  TREE DISCONNECT (0x4), Mid = 13
CL FS SMB2 SMB2:C  TREE DISCONNECT (0x4), TID=0x5, Mid = 14
FS CL SMB2 SMB2:R  TREE DISCONNECT (0x4), Mid = 14
CL FS SMB2 SMB2:C  LOGOFF (0x2), Mid = 15
FS CL SMB2 SMB2:R  LOGOFF (0x2), Mid = 15
CL FS TCP TCP:Flags=…A…F, SrcPort=49257, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=892117980, Ack=1956518894, Win=511 (scale factor 0x8) = 130816
FS CL TCP TCP:Flags=…A…., SrcPort=Microsoft-DS(445), DstPort=49257, PayloadLen=0, Seq=1956518894, Ack=892117981, Win=512 (scale factor 0x8) = 131072
CL FS TCP TCP:[Segment Lost]Flags=…A.R.., SrcPort=49257, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=892117981, Ack=1956518894, Win=0 (scale factor 0x8) = 0
FS CL TCP TCP:Flags=…A.R.., SrcPort=Microsoft-DS(445), DstPort=49257, PayloadLen=0, Seq=1956518894, Ack=892117981, Win=0

 

6 – Querying only the DFS namespace

This trace now uses a DFS namespace.
In this case, we’re querying just the namespace itself, not following any links in the namespace.
Now we are working with the client (CL), the domain controller (DC) and the namespace server (NS).

First, here is the actual command used (in bold) and its output.

C:Usersadministrator>dir \josebda.localns1

 Volume in drive \josebda.localns1 has no label.

 Volume Serial Number is 34A5-C4AB

 Directory of \josebda.localns1

04/10/2009  10:08 PM    <DIR>          .

04/10/2009  10:08 PM    <DIR>          ..

04/10/2009  10:08 PM    <DIR>          Folder1

               0 File(s)              0 bytes

               3 Dir(s)  11,448,500,224 bytes free

 

C:Usersadministrator>

Next, here is the summary of the NetMon trace with some highlights (in bold) and comments (in italics).

From To Protocol Details
6.1. CL uses ARP to find MAC address for 10.1.1.1, its DNS server
CL DC ARP ARP:Request, 10.1.1.4 asks for 10.1.1.1
DC CL ARP ARP:Response, 10.1.1.1 at 00-15-5D-6C-0D-06
6.2. CL queries DNS for “dc.josebda.local”, gets 10.1.1.1
CL DC DNS DNS:QueryId = 0x7447, QUERY (Standard query), Query  for DC.josebda.local of type Host Addr on class Internet
DC CL DNS DNS:QueryId = 0x7447, QUERY (Standard query), Response – Success, 10.1.1.1
6.3. CL negotiates a TCP session with DC on port 445 (SMB)
CL DC TCP TCP:Flags=……S., SrcPort=49267, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1570594720, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
DC CL TCP TCP:Flags=…A..S., SrcPort=Microsoft-DS(445), DstPort=49267, PayloadLen=0, Seq=1429848417, Ack=1570594721, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL DC TCP TCP:Flags=…A…., SrcPort=49267, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1570594721, Ack=1429848418, Win=513 (scale factor 0x8) = 131328
6.4. CL and DC negotiate an SMB session (note that DC offers SMB2 and CL takes it)
CL DC SMB SMB:C; Negotiate, Dialect = PC NETWORK PROGRAM 1.0, LANMAN1.0, Windows for Workgroups 3.1a, LM1.2X002, LANMAN2.1, NT LM 0.12, SMB 2.002
DC CL SMB2 SMB2:R  NEGOTIATE (0x0), GUID={83C66016-F309-B5A1-42A3-3B37BF0AE071}, Mid = 0
6.5. CL talks to the DC on port (88) to get a set of Kerberos tickets. First, the client Authentication for the domain.
CL DC TCP TCP:Flags=……S., SrcPort=49268, DstPort=Kerberos(88), PayloadLen=0, Seq=1221627845, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
DC CL TCP TCP:Flags=…A..S., SrcPort=Kerberos(88), DstPort=49268, PayloadLen=0, Seq=4225518474, Ack=1221627846, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL DC TCP TCP:Flags=…A…., SrcPort=49268, DstPort=Kerberos(88), PayloadLen=0, Seq=1221627846, Ack=4225518475, Win=513 (scale factor 0x8) = 131328
CL DC KerberosV5 KerberosV5:AS Request Cname: administrator Realm: JOSEBDA.LOCAL Sname: krbtgt/JOSEBDA.LOCAL
DC CL KerberosV5 KerberosV5:AS Response Ticket[Realm: JOSEBDA.LOCAL, Sname: krbtgt/JOSEBDA.LOCAL]
DC CL TCP TCP:[Continuation]Flags=…AP…, SrcPort=Kerberos(88), DstPort=49268, PayloadLen=51, Seq=4225519935 – 4225519986, Ack=1221628164, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=…A…., SrcPort=49268, DstPort=Kerberos(88), PayloadLen=0, Seq=1221628164, Ack=4225519986, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=…A…F, SrcPort=49268, DstPort=Kerberos(88), PayloadLen=0, Seq=1221628164, Ack=4225519986, Win=513 (scale factor 0x8) = 131328
6.6. CL requests a Kerberos service authorization ticket to present to DC.joseba.local for cifs service
CL DC TCP TCP:Flags=……S., SrcPort=49269, DstPort=Kerberos(88), PayloadLen=0, Seq=4290068782, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
DC CL TCP TCP:Flags=…A..S., SrcPort=Kerberos(88), DstPort=49269, PayloadLen=0, Seq=3286883192, Ack=4290068783, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
DC CL TCP TCP:Flags=…A…., SrcPort=Kerberos(88), DstPort=49268, PayloadLen=0, Seq=4225519986, Ack=1221628165, Win=513 (scale factor 0x8) = 131328
DC CL TCP TCP:Flags=…A.R.., SrcPort=Kerberos(88), DstPort=49268, PayloadLen=0, Seq=4225519986, Ack=1221628165, Win=0 (scale factor 0x8) = 0
CL DC TCP TCP:Flags=…A…., SrcPort=49269, DstPort=Kerberos(88), PayloadLen=0, Seq=4290068783, Ack=3286883193, Win=513 (scale factor 0x8) = 131328
CL DC KerberosV5 KerberosV5:TGS Request Realm: JOSEBDA.LOCAL Sname: cifs/DC.josebda.local
DC CL TCP TCP:Flags=…A…., SrcPort=Kerberos(88), DstPort=49269, PayloadLen=0, Seq=3286883193, Ack=4290070355, Win=513 (scale factor 0x8) = 131328
DC CL KerberosV5 KerberosV5:TGS Response Cname: Administrator
DC CL TCP TCP:[Continuation]Flags=…AP…, SrcPort=Kerberos(88), DstPort=49269, PayloadLen=118, Seq=3286884653 – 3286884771, Ack=4290070355, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=…A…., SrcPort=49269, DstPort=Kerberos(88), PayloadLen=0, Seq=4290070355, Ack=3286884771, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=…A…F, SrcPort=49269, DstPort=Kerberos(88), PayloadLen=0, Seq=4290070355, Ack=3286884771, Win=513 (scale factor 0x8) = 131328
6.7. CL asks DC for another Kerberos ticket
CL DC TCP TCP:Flags=……S., SrcPort=49270, DstPort=Kerberos(88), PayloadLen=0, Seq=341990730, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
DC CL TCP TCP:Flags=…A..S., SrcPort=Kerberos(88), DstPort=49270, PayloadLen=0, Seq=2502819863, Ack=341990731, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
DC CL TCP TCP:Flags=…A…., SrcPort=Kerberos(88), DstPort=49269, PayloadLen=0, Seq=3286884771, Ack=4290070356, Win=513 (scale factor 0x8) = 131328
DC CL TCP TCP:Flags=…A.R.., SrcPort=Kerberos(88), DstPort=49269, PayloadLen=0, Seq=3286884771, Ack=4290070356, Win=0 (scale factor 0x8) = 0
CL DC TCP TCP:Flags=…A…., SrcPort=49270, DstPort=Kerberos(88), PayloadLen=0, Seq=341990731, Ack=2502819864, Win=513 (scale factor 0x8) = 131328
CL DC KerberosV5 KerberosV5:TGS Request Realm: JOSEBDA.LOCAL Sname: krbtgt/JOSEBDA.LOCAL
DC CL KerberosV5 KerberosV5:TGS Response Cname: Administrator
CL DC TCP TCP:Flags=…A…F, SrcPort=49270, DstPort=Kerberos(88), PayloadLen=0, Seq=341992176, Ack=2502821322, Win=507 (scale factor 0x8) = 129792
6.8. SMB session with DC is setup. (while the last ACKs for the DC are still coming)
CL DC SMB2 SMB2:C  SESSION SETUP (0x1), Mid = 1
DC CL TCP TCP:Flags=…A…., SrcPort=Kerberos(88), DstPort=49270, PayloadLen=0, Seq=2502821322, Ack=341992177, Win=513 (scale factor 0x8) = 131328
DC CL TCP TCP:Flags=…A…., SrcPort=Microsoft-DS(445), DstPort=49267, PayloadLen=0, Seq=1429848658, Ack=1570597908, Win=513 (scale factor 0x8) = 131328
DC CL TCP TCP:Flags=…A.R.., SrcPort=Kerberos(88), DstPort=49270, PayloadLen=0, Seq=2502821322, Ack=341992177, Win=0 (scale factor 0x8) = 0
DC CL SMB2 SMB2:R  SESSION SETUP (0x1) ,SessionFlags=0x0, Mid = 1
6.9. CL connects to tree \dc.josebda.localIPC$, asks DFS for a referral for “josebda.local”, then “josebda.localns1”
Comments (3)

  1. Anonymous says:

    Jose Barreto has a new blog post covering details of the behavior of Windows Server 2008 DFS-N (Distributed

  2. Anonymous says:

    Pessoal, Esta semana o Jose Barreto publicou um artigo muito interessante sobre Windows Server 2008 DFS-N

  3. Anonymous says:

    Pessoal, Esta semana o Jose Barreto publicou um artigo muito interessante sobre Windows Server 2008 DFS-N